12-30-2020 04:39 AM
I have a 6-node deployment: 2 PAN, 2 MNT and 2 PSN (physical appliances).
Each time I restart the ADMIN (Master) node, I cannot go to context visibility.
I have this error :
"unable to load Context Visibility page. Ensure that reverse DNS lookup is configured for all Cisco ISE nodes in your distributed deployment in the DNS server(s). Exception: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];
I have to run the command "Application config ise", and reset context visibility and the 2 admin nodes. After that, everything is working fine, until I reset the Admin node.
However, DNS and reverse DNS are OK for all 6 nodes.
I do not have this pb with the other admin node.
i.e.: If I promote the other admin node, I do not have this pb when I restart it.
I also reinstalled the first admin node from scratch.
Can someone help me ?
12-30-2020 06:27 AM
Hi
why don't u want to call the TAC on the subject (unless u r able to find any relevant bug-id on CCO)? did u try any of those options?
btw here is a very familiar issue with workaround for 2.1 SW i've found in 1 min:
12-30-2020 07:51 AM
Hi, I am already involved with TAC. But till now, they did not find the issue.
It is strange that the pb is not symmetric: when PAN-Node1 is master, I have this pb; when PAN-Node2 is master, I do not have this pb, although I reimaged PAN-Node1.
The pb has 2 other consequences:
The home page displays "no date available" in some dashlets.
And the backup could not be done.
I guess there is maybe some issue with the client environment, between the 2 PANs.
Michel
12-30-2020 09:41 AM
did u notice within the above reference the certificates of PAN nodes must populate trusted certificate store in the cube to get rid of issue? i'd recommend u verify this approach & let us know.
12-31-2020 12:16 AM
I tried that. Same issue.
I think this is not necessary because the ISE PANs don't use self-signed certificates. They are generated by the client PKI.
12-30-2020 10:46 PM
Hi @mmisonne
try to Replace the ISE Root Certificate Chain by:
1. Administration > System > Certificates > Certificate Authority > Internal CA Settings:
click the Enable Certificate Authority button
2. Administration > System > Certificates > Certificate Management > Certificate Signing Requests:
Certificate(s) will be used for: ISE Root CA
click the Replace ISE Root CA Certificate Chain button
3. Administration > System > Certificates > Certificate Authority > Internal CA Settings:
click the Disable Certificate Authority button
Hope this helps.
12-31-2020 12:28 AM
Hi Marcello,
I already tried that.
Indeed, it solved the ISE messaging pb:
Before, I could not use ISE messaging for inter-node syslogs.
And I had lots of queue-link errors in the alarm Dashboard.
But unfortunately, it does not solve my Context visibility pb.